Meteor Update集合 - 未捕获错误：不允许。 不受信任的代码只能按ID更新文档。 [403]

Question

I am Learnign Meteor and came across this situation i was following along a Meteor tutorial on tuts plus. the code is exactly the same in video the update of collection occurs but in my browser it shows this error:

Uncaught Error: Not permitted. Untrusted code may only update documents by ID. [403]

The code is here:

Template.person.events({
'click': function (e, t) {
  Session.set("edit-"+ t.data._id, true);
},
'keypress input': function(e,t){
  if(e.keyCode === 13){

    var docid = Session.get("edit-"+ this._id);
    People.update(t.data, {$set: {name: e.currentTarget.value}});
    Session.set("edit-"+ t.data._id, false);
  }
}
});

Answer 1

For code that runs on the client side/browser side you can only use an _id field as the query. On the server you can run it as you please.

Modify your code so you get the document first then use its _id to perform an update.

var person = People.findOne(t.data);

People.update({_id: person._id}, {$set: {name: e.currentTarget.value}});

I assume t.data is some kind of query? If its an _id try using {_id: t.data as the query instead. Either way so long as the selector of the update only uses an _id it should be fine.

The reason this might work on the tutorial you're following is this change was introduced more recently to lock down security.

Answer 2

  Template.person.events({
    'click': function (e, t) {
      Session.set('edit-' + t.data._id, true);
    },
    'keypress input' : function(e, t) {
      if (e.keyCode == 13) {
        People.update(t.data._id, { $set: { name: e.currentTarget.value }});
        Session.set('edit-' + t.data._id, false);
      }
    }
  });